SSL auto-deployment error, the service crashes outright #237

Open
4 tasks done
gitchw opened this issue Jan 6, 2025 · 16 comments

Comments

@gitchw (Contributor) commented Jan 6, 2025

Integrity requirements

  • I confirm that I have read the documentation and understand the meaning of every configuration item I wrote, rather than piling up seemingly useful options or default values.
  • I have provided the complete configuration file and logs, rather than only the excerpts I judged relevant.
  • I searched the issues and found no similar issue already filed.
  • I have read the project README FAQ.

Version

2.8

Server configuration


Server logs


ogin: Mon Jan  6 02:22:40 2025 from 47.129.169.51
root@HKGTUju0XC9FuQ:~# docker logs -f --tail 100 b209db6ef130
[info][2025-01-06 09:57:37][/work/controllers/setup.go:19]AcmeChallenge: /.well-known/acme-challenge/7DswvMY3nNKJxmIlrd3fLUeznmkCR4Arc7H6isFYMIU
[info][2025-01-06 09:57:37][/work/controllers/setup.go:19]AcmeChallenge: /.well-known/acme-challenge/7DswvMY3nNKJxmIlrd3fLUeznmkCR4Arc7H6isFYMIU
[info][2025-01-06 09:57:37][/work/controllers/setup.go:19]AcmeChallenge: /.well-known/acme-challenge/7DswvMY3nNKJxmIlrd3fLUeznmkCR4Arc7H6isFYMIU
2025/01/06 09:57:39 [INFO] [mail.xn--wxy.cn] The server validated our request
2025/01/06 09:57:39 [INFO] [mail.xn--wxy.cn, smtp.xn--wxy.cn, pop.xn--wxy.cn, imap.xn--wxy.cn] acme: Validations succeeded; requesting certificates
2025/01/06 09:57:41 [INFO] [mail.xn--wxy.cn] Server responded with a certificate.
[info][2025-01-06 09:57:41][/work/services/setup/ssl/ssl.go:224]证书校验通过!
[info][2025-01-06 09:57:41][/work/listen/http_server/setup_server.go:71]Setup End!
[info][2025-01-06 09:57:41][/work/services/setup/ssl/ssl.go:317]SSL certificate remaining time is only 89 days, renew SSL certificate.
2025/01/06 09:57:42 [INFO] acme: Trying to resolve account by key
[info][2025-01-06 09:57:42][/work/services/setup/ssl/ssl.go:136]wait ssl renew
2025/01/06 09:57:42 [INFO] [mail.xn--wxy.cn, smtp.xn--wxy.cn, pop.xn--wxy.cn, imap.xn--wxy.cn] acme: Obtaining bundled SAN certificate
panic: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: too many certificates (5) already issued for this exact set of domains in the last 168h0m0s, retry after 2025-01-07 11:35:39 UTC: see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames

goroutine 1 [running]:
github.com/Jinnrry/pmail/services/setup/ssl.renewCertificate(0xc000492840, 0xc000002480)
/work/services/setup/ssl/ssl.go:139 +0x988
github.com/Jinnrry/pmail/services/setup/ssl.GenSSL(0x1)
/work/services/setup/ssl/ssl.go:269 +0xae
github.com/Jinnrry/pmail/services/setup/ssl.Update(0x0)
/work/services/setup/ssl/ssl.go:319 +0x12f
github.com/Jinnrry/pmail/res_init.Init({0xf09fc0, 0x6})
/work/res_init/init.go:35 +0xac
main.main()
/work/main.go:37 +0x26f
Root Path: /work/
[info][2025-01-06 10:01:04][/work/main.

Description

[screenshot: Screenshot_2025-01-06-10-50-48-21_c5f0134a4c551757558202025a96fea6]
As shown in the screenshot, during initialization it already obtained the certificate successfully.
But why does it then try to renew the certificate automatically, and hit the CA's rate limit? If it only hit the limit that would be fine, since a usable certificate already exists, but the service crashes itself. Only after turning off automatic certificate acquisition in the configuration file and restarting the service does it work normally.

Steps to reproduce

Trigger the limit of five certificate issuances per 7 days, then run the software again.

@Jinnrry (Owner) commented Jan 6, 2025

openssl x509 -in [证书路径]/public.crt -text -noout

Use this command to look at the certificate details, and check whether the X509v3 Subject Alternative Name field contains a domain starting with imap.

Version 2.8.0 added support for the IMAP protocol. For compatibility with older versions, a check was added when renewing the certificate: if the certificate does not contain the IMAP domain, the certificate is forcibly regenerated.

@Jinnrry (Owner) commented Jan 6, 2025

Uh, I think I know. Did you not point the imap.[xxxx] domain at the server? In that case v2.8.0's request for the imap domain certificate fails, and the certificate keeps being retried until it exceeds the limit.

@gitchw (Contributor, Author) commented Jan 6, 2025

> Uh, I think I know. Did you not point the imap.[xxxx] domain at the server? In that case v2.8.0's request for the imap domain certificate fails, and the certificate keeps being retried until it exceeds the limit.

How could that be? ping imap.皓.cn
PING imap.皓.cn (69.165.67.xxc) 56(84) bytes of data.

And below is the output of the command you mentioned above; it seems to be there:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:4e:b4:f4:1e:86:dc:c9:c2:c7:5d:d6:02:a8:63:0a:cd:f6
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = R10
Validity
Not Before: Jan 6 00:59:10 2025 GMT
Not After : Apr 6 00:59:09 2025 GMT
Subject: CN = mail.xn--wxy.cn
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d0:6c:82:4b:a3:2e:78:d8:90:aa:2e:d8:8d:03:
bf:b0:b5:4e:16:ba:aa:21:e0:8d:48:27:62:b0:61:
9f:8d:92:9d:79:17:b5:dc:a2:b0:4e:55:e9:01:76:
08:42:e1:d9:55:5a:13:ad:27:df:90:89:fc:66:fd:
81:f8:08:ac:b7:ff:4f:fd:2f:b5:fe:f1:1f:f9:04:
eb:2f:30:be:96:46:11:8e:5f:e0:49:fe:f2:a8:bb:
ae:33:6b:b3:f8:bf:0f:4d:34:35:84:f8:f9:53:4c:
26:92:b5:41:41:f0:07:c1:83:60:6f:05:4e:83:5e:
2f:51:c0:81:20:23:ff:99:1a:6f:d8:64:8b:5c:3a:
67:d2:97:57:97:9c:0f:26:83:91:4b:1b:7d:bf:ee:
bf:88:5e:9c:f7:55:38:45:de:55:95:82:30:73:fc:
6c:34:63:a4:89:c8:e7:f7:a6:c3:c1:48:14:08:01:
b5:e2:0e:21:77:93:f7:11:a4:e3:8c:7a:b2:fc:97:
10:c8:f9:d7:3b:94:17:12:eb:30:44:a7:d4:49:26:
4e:74:ad:43:05:21:82:9f:aa:ef:5d:e8:d1:ea:e2:
69:fc:b8:a3:47:be:ec:f2:5e:97:d9:69:b5:64:03:
f0:80:fc:96:b2:ea:5f:31:80:1c:38:90:d3:8e:31:
c9:d1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
DC:14:CB:3B:86:12:11:4A:1C:09:10:B4:E1:1B:B5:3E:A4:5E:89:8A
X509v3 Authority Key Identifier:
BB:BC:C3:47:A5:E4:BC:A9:C6:C3:A4:72:0C:10:8D:A2:35:E1:C8:E8
Authority Information Access:
OCSP - URI:http://r10.o.lencr.org
CA Issuers - URI:http://r10.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:imap.xn--wxy.cn, DNS:mail.xn--wxy.cn, DNS:pop.xn--wxy.cn, DNS:smtp.xn--wxy.cn
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : A2:E3:0A:E4:45:EF:BD:AD:9B:7E:38:ED:47:67:77:53:
D7:82:5B:84:94:D7:2B:5E:1B:2C:C4:B9:50:A4:47:E7
Timestamp : Jan 6 01:57:40.794 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:E6:63:B5:22:87:71:54:60:8E:9E:4E:
7A:EF:F2:52:33:E6:DF:89:70:A5:F2:DF:86:62:55:B2:
96:F7:9B:86:89:02:20:32:50:BB:44:FE:1A:37:88:16:
A4:8E:CF:96:81:22:A5:27:DA:BF:F2:75:BA:CB:1B:E7:
94:FE:01:49:8A:65:B4
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 4E:75:A3:27:5C:9A:10:C3:38:5B:6C:D4:DF:3F:52:EB:
1D:F0:E0:8E:1B:8D:69:C0:B1:FA:64:B1:62:9A:39:DF
Timestamp : Jan 6 01:57:40.795 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:79:26:77:CE:A2:D1:DA:BC:13:BF:AE:33:
99:42:15:69:33:F9:2C:EC:E1:51:2F:27:6E:69:FD:F6:
ED:4C:1B:68:02:20:72:34:2C:6D:DD:42:99:6E:A3:AD:
D8:FB:59:D0:14:EB:09:FE:84:09:29:26:22:7E:83:36:
58:E0:6E:EB:BD:BB
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
03:55:6a:9a:43:05:7a:47:b4:15:d0:88:e2:90:62:fd:13:78:
ca:c0:b7:6a:31:a6:6e:cc:e7:ba:97:c6:e6:f2:54:4f:5a:cd:
ec:8d:91:50:05:fb:23:f7:07:54:d8:2f:05:43:a3:9f:ac:35:
21:34:3d:06:d4:ec:74:84:23:8e:9b:b2:5d:7f:fe:67:da:5d:
e0:c1:12:85:ff:ac:19:b6:82:00:6a:92:ed:f5:02:69:ec:5e:
68:64:1a:12:92:13:58:e3:70:05:a8:32:6d:38:56:52:6e:23:
da:94:d4:a5:23:7b:4d:ad:17:16:f1:84:16:cd:cd:e9:a3:da:
1e:53:e5:f1:7c:8a:86:dd:cf:26:90:32:1c:8e:63:3c:e8:3d:
a6:cf:cb:77:3b:8a:4e:0b:74:58:e9:13:bf:30:c8:12:6f:65:
b9:bd:d0:f3:9d:73:a7:df:b4:19:1d:2e:4a:5f:d8:5a:91:ba:
25:6d:a0:c2:43:9e:f6:4c:17:9e:a6:41:7e:07:8a:82:88:91:
f8:58:cd:62:c5:d0:04:c7:4f:9b:e6:36:fa:d2:1f:b1:c9:04:
38:b1:b9:7a:cc:08:45:e6:3b:bc:2c:66:91:d2:6b:f6:3a:51:
a3:76:86:85:db:c5:48:b9:19:22:52:15:43:dd:47:6e:ef:df:
5a:9c:6e:42
root@HKGTUju0XC9FuQ:~#

Connection lost

@gitchw (Contributor, Author) commented Jan 6, 2025

> openssl x509 -in [证书路径]/public.crt -text -noout
>
> Use this command to look at the certificate details, and check whether the X509v3 Subject Alternative Name field contains a domain starting with imap.
>
> Version 2.8.0 added support for the IMAP protocol. For compatibility with older versions, a check was added when renewing the certificate: if the certificate does not contain the IMAP domain, the certificate is forcibly regenerated.

Could you check whether the IMAP certificate has a problem? I bound the account in QQ Mail and it cannot receive mail normally, but according to the output you asked for above, the imap field is present.

@Jinnrry (Owner) commented Jan 6, 2025

Could it be a problem with the Chinese domain name? I'm not sure either; it looks fine.

If you have a Go environment there, you can run this test case and see what the program outputs:

server/services/setup/ssl/ssl_test.go:14

@gitchw (Contributor, Author) commented Jan 6, 2025

> Could it be a problem with the Chinese domain name? I'm not sure either; it looks fine.
>
> If you have a Go environment there, you can run this test case and see what the program outputs:
>
> server/services/setup/ssl/ssl_test.go:14

Could you explain in more detail? I'm running it in Docker.
Are you saying the IMAP certificate is there? But QQ Mail still cannot receive mail when it uses the IMAP protocol; only POP works.

@Jinnrry (Owner) commented Jan 6, 2025

It may be that the check of whether the certificate matches the IMAP domain fails, causing the certificate to be regenerated endlessly; that is unrelated to receiving mail.

@gitchw (Contributor, Author) commented Jan 6, 2025

> It may be that the check of whether the certificate matches the IMAP domain fails, causing the certificate to be regenerated endlessly; that is unrelated to receiving mail.

Emmmm, then why can't IMAP receive mail... How do I troubleshoot this?

@Jinnrry (Owner) commented Jan 6, 2025

Is it that IMAP cannot fetch the mail, or that PMail did not receive the mail? Did the web interface receive it?

@gitchw (Contributor, Author) commented Jan 6, 2025

> Is it that IMAP cannot fetch the mail, or that PMail did not receive the mail? Did the web interface receive it?

Both the web interface and POP receive it.

@Jinnrry (Owner) commented Jan 6, 2025

The IMAP protocol implementation may have a problem. I have only tested IMAP with the Mac mail client, not with other clients yet. I'll capture packets and take a look when I have time at the weekend.

@gitchw (Contributor, Author) commented Jan 6, 2025

> The IMAP protocol implementation may have a problem. I have only tested IMAP with the Mac mail client, not with other clients yet. I'll capture packets and take a look when I have time at the weekend.

OK. Let me add that all previous versions worked fine. Mainly look at that log: above, it had clearly already obtained the certificate and passed validation, so why did it fetch it again and then crash? Is there a problem with the implementation logic? Because I tried a few more times during the first setup, redeploying ended up triggering the rate limit, so this problem feels very easy to trigger p(´⌒`。q)

@Jinnrry (Owner) commented Jan 7, 2025

> openssl x509 -in [证书路径]/public.crt -text -noout
>
> Use this command to look at the certificate details, and check whether the X509v3 Subject Alternative Name field contains a domain starting with imap.
>
> Version 2.8.0 added support for the IMAP protocol. For compatibility with older versions, a check was added when renewing the certificate: if the certificate does not contain the IMAP domain, the certificate is forcibly regenerated.

For this reason, version 2.8.0 checks at startup whether the certificate matches the IMAP domain. But the arguments to the check function were written in reverse order, so the certificate check fails, which causes certificates to be generated in a loop. The error location is here:

https://github.com/Jinnrry/PMail/pull/239/files#diff-3e9ca985832b5ae66ba96aa09b0357e9bdd3315622955b4b481d2a99f8c56409L293
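A renewal step that does not take the service down, as an added example that is not PMail's code, covering the two failure modes this thread describes: a check that wrongly reports a missing IMAP name forces a renewal, and the resulting ACME 429 rateLimited response then crashes the service even though the certificate on disk is still valid for 89 days. The CertInfo struct, the Issuer function type, ErrRateLimited and the example.test names are assumptions made for this example; in a real deployment Issuer would wrap the ACME client.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrRateLimited stands in for the ACME urn:ietf:params:acme:error:rateLimited
// response from the issue's panic (constructed for this example).
var ErrRateLimited = errors.New("acme: 429 rateLimited: too many certificates already issued for this exact set of domains")

// CertInfo is the subset of certificate fields the renewal decision needs.
type CertInfo struct {
	DNSNames []string
	NotAfter time.Time
}

// Issuer abstracts the ACME client so the decision logic can run offline.
type Issuer func(domains []string) (*CertInfo, error)

// Outcome records what one renewal step decided.
type Outcome struct {
	Cert    *CertInfo     // certificate to keep serving after this step
	Renewed bool          // true when Cert came from the issuer
	RetryIn time.Duration // zero when no retry is scheduled
	Err     error         // issuer error, if any
}

func contains(names []string, host string) bool {
	for _, n := range names {
		if n == host {
			return true
		}
	}
	return false
}

// RenewReason returns why a renewal is needed, or "" when the current
// certificate is valid long enough and covers every required name.
func RenewReason(cur *CertInfo, required []string, now time.Time, minLeft time.Duration) string {
	if cur == nil {
		return "no certificate on disk"
	}
	if !now.Before(cur.NotAfter) {
		return "certificate expired"
	}
	if left := cur.NotAfter.Sub(now); left < minLeft {
		return fmt.Sprintf("only %d days left", int(left.Hours()/24))
	}
	for _, h := range required {
		if !contains(cur.DNSNames, h) {
			return "certificate does not cover " + h
		}
	}
	return ""
}

// MaybeRenew is the non-panicking renewal step: when issuance fails it keeps
// serving the existing certificate as long as it is still valid and schedules
// a retry, backing off a full day on a rate-limit response so that repeated
// restarts do not burn through the CA's weekly quota.
func MaybeRenew(cur *CertInfo, required []string, now time.Time, minLeft time.Duration, issue Issuer) Outcome {
	if RenewReason(cur, required, now, minLeft) == "" {
		return Outcome{Cert: cur}
	}
	fresh, err := issue(required)
	if err == nil {
		return Outcome{Cert: fresh, Renewed: true}
	}
	retry := time.Hour
	if errors.Is(err, ErrRateLimited) {
		retry = 24 * time.Hour
	}
	if cur != nil && now.Before(cur.NotAfter) {
		return Outcome{Cert: cur, RetryIn: retry, Err: err} // keep the valid cert, do not crash
	}
	// Nothing valid to serve: report the error so the caller can decide what to
	// do; the renewal path itself still never panics.
	return Outcome{Cert: nil, RetryIn: retry, Err: err}
}

func main() {
	now := time.Date(2025, 1, 6, 9, 57, 42, 0, time.UTC) // timestamp from the issue's log
	required := []string{"mail.example.test", "smtp.example.test", "pop.example.test", "imap.example.test"}
	// Constructed: a certificate with 89 days left that already lists every name.
	cur := &CertInfo{DNSNames: required, NotAfter: now.Add(89 * 24 * time.Hour)}
	rateLimited := func([]string) (*CertInfo, error) { return nil, ErrRateLimited }

	// Correct check: nothing to renew, the issuer is never called.
	fmt.Printf("reason=%q\n", RenewReason(cur, required, now, 30*24*time.Hour))

	// Simulate a check that demands a name the cert lacks: renewal is attempted,
	// the CA answers 429, and the service keeps the still-valid certificate.
	out := MaybeRenew(cur, append(required, "extra.example.test"), now, 30*24*time.Hour, rateLimited)
	fmt.Printf("kept=%v retryIn=%s err=%v\n", out.Cert == cur, out.RetryIn, out.Err)
}
```

The design choice worth copying is the separation between deciding that a renewal is needed and surviving its failure: a wrong decision (the reversed-argument check) then costs one ACME request per retry window rather than a crash loop that exhausts the per-hostname-set limit.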

@Jinnrry (Owner) commented Jan 7, 2025

2.8.1 has fixed this bug.

@gitchw (Contributor, Author) commented Jan 7, 2025

> 2.8.1 has fixed this bug.

OK. Is there also a fix for third-party clients such as QQ Mail not being able to fetch mail over IMAP? I think you mentioned it, but it still does not work here (neither QQ Mail nor the OPPO phone's built-in mail app works).

@Jinnrry (Owner) commented Jan 7, 2025

I haven't tested QQ Mail yet; I tested with Mac Mail and the iOS mail client. I'll try QQ Mail at the weekend when I have time.
